[trod123]

This is just one of many aspects of fingerprinting. Canvas is only a single element.

Each fingerprint component can be used to correlate other components, including TLS channel options which generally last the entire session the website is open for, or there's a network header that remains unchanged between NAT.

Given tens of thousands of potentially fingerprintable elements, you only need 5 relatively unique elements between people for a 1 in 1million, each point thereafter exponentially increases that uniqueness.

[nerdponx]

I don't work in ad tech, but I expect that there are strong diminishing returns on this kind of thing. Yes, it's theoretically possible to do all of this advanced stuff to correlate and identify the long tail of users who have obfuscated fingerprints. But if you are in the targeted advertising business, are those users really all that valuable to target? They are probably nerds who don't buy a lot of new stuff and block ads anyway. I expect that being unique, but distinct on each run of the fingerprint algorithm, is probably good enough, unless you are concerned about a very motivated attacker trying to stalk you.

On the other hand, there is also the fact that things like spoofing web APIs only goes so far. There are other fingerprinting techniques, such as measuring properties of the GPU, which might still uniquely identify your machine (how many people have such-and-such GPU in your ZIP code?).